Class: Aws::CloudFront::Types::ViewerCertificate

Inherits:
Struct
  • Object
Includes:
Structure
Defined in:
lib/aws-sdk-cloudfront/types.rb

Overview

Note:

When making an API call, you may pass ViewerCertificate data as a hash:

{
  cloud_front_default_certificate: false,
  iam_certificate_id: "string",
  acm_certificate_arn: "string",
  ssl_support_method: "sni-only", # accepts sni-only, vip
  minimum_protocol_version: "SSLv3", # accepts SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018
  certificate: "string",
  certificate_source: "cloudfront", # accepts cloudfront, iam, acm
}

A complex type that specifies the following:

  • Whether you want viewers to use HTTP or HTTPS to request your objects.

  • If you want viewers to use HTTPS, whether you’re using an alternate domain name such as `example.com` or the CloudFront domain name for your distribution, such as `d111111abcdef8.cloudfront.net`.

  • If you’re using an alternate domain name, whether AWS Certificate Manager (ACM) provided the certificate, or you purchased a certificate from a third-party certificate authority and imported it into ACM or uploaded it to the IAM certificate store.

You must specify only one of the following values:

  • ViewerCertificate$ACMCertificateArn

  • ViewerCertificate$IAMCertificateId

  • ViewerCertificate$CloudFrontDefaultCertificate

Don’t specify `false` for `CloudFrontDefaultCertificate`.

**If you want viewers to use HTTP instead of HTTPS to request your objects**: Specify the following value:

`<CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>`

In addition, specify `allow-all` for `ViewerProtocolPolicy` for all of your cache behaviors.

**If you want viewers to use HTTPS to request your objects**: Choose the type of certificate that you want to use based on whether you’re using an alternate domain name for your objects or the CloudFront domain name:

  • **If you’re using an alternate domain name, such as example.com**: Specify one of the following values, depending on whether ACM provided your certificate or you purchased your certificate from a third-party certificate authority:

    • `<ACMCertificateArn>ARN for ACM SSL/TLS certificate</ACMCertificateArn>` where `ARN for ACM SSL/TLS certificate` is the ARN for the ACM SSL/TLS certificate that you want to use for this distribution.

    • `<IAMCertificateId>IAM certificate ID</IAMCertificateId>` where `IAM certificate ID` is the ID that IAM returned when you added the certificate to the IAM certificate store.

    If you specify `ACMCertificateArn` or `IAMCertificateId`, you must also specify a value for `SSLSupportMethod`.

    If you choose to use an ACM certificate or a certificate in the IAM certificate store, we recommend that you use only an alternate domain name in your object URLs (``). If you use the domain name that is associated with your CloudFront distribution (such as ``) and the viewer supports `SNI`, then CloudFront behaves normally. However, if the browser does not support SNI, the user’s experience depends on the value that you choose for `SSLSupportMethod`:

    • `vip`: The viewer displays a warning because there is a mismatch between the CloudFront domain name and the domain name in your SSL/TLS certificate.

    • `sni-only`: CloudFront drops the connection with the browser without returning the object.

  • **If you’re using the CloudFront domain name for your distribution, such as `d111111abcdef8.cloudfront.net`**: Specify the following value:

    `<CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>`

If you want viewers to use HTTPS, you must also specify one of the following values in your cache behaviors:

  • `<ViewerProtocolPolicy>https-only</ViewerProtocolPolicy>`

  • `<ViewerProtocolPolicy>redirect-to-https</ViewerProtocolPolicy>`

You can also optionally require that CloudFront use HTTPS to communicate with your origin by specifying one of the following values for the applicable origins:

  • `<OriginProtocolPolicy>https-only</OriginProtocolPolicy>`

  • `<OriginProtocolPolicy>match-viewer</OriginProtocolPolicy>`

For more information, see [Using Alternate Domain Names and HTTPS][1] in the *Amazon CloudFront Developer Guide*.

[1]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS

Instance Attribute Details

#acm_certificate_arn ⇒ String

For information about how and when to use `ACMCertificateArn`, see ViewerCertificate.

Returns:

  • (String)


# File 'lib/aws-sdk-cloudfront/types.rb', line 7734

class ViewerCertificate < Struct.new(
  :cloud_front_default_certificate,
  :iam_certificate_id,
  :acm_certificate_arn,
  :ssl_support_method,
  :minimum_protocol_version,
  :certificate,
  :certificate_source)
  include Aws::Structure
end

#certificate ⇒ String

This field has been deprecated. Use one of the following fields instead:

  • ViewerCertificate$ACMCertificateArn

  • ViewerCertificate$IAMCertificateId

  • ViewerCertificate$CloudFrontDefaultCertificate

Returns:

  • (String)



#certificate_source ⇒ String

This field has been deprecated. Use one of the following fields instead:

  • ViewerCertificate$ACMCertificateArn

  • ViewerCertificate$IAMCertificateId

  • ViewerCertificate$CloudFrontDefaultCertificate

Returns:

  • (String)



#cloud_front_default_certificate ⇒ Boolean

For information about how and when to use `CloudFrontDefaultCertificate`, see ViewerCertificate.

Returns:

  • (Boolean)



#iam_certificate_id ⇒ String

For information about how and when to use `IAMCertificateId`, see ViewerCertificate.

Returns:

  • (String)



#minimum_protocol_version ⇒ String

Specify the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:

  • The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers

  • The cipher that CloudFront uses to encrypt the content that it returns to viewers

Note: On the CloudFront console, this setting is called **Security policy**.

We recommend that you specify `TLSv1.1_2016` unless your users are using browsers or devices that do not support TLSv1.1 or later.

When both of the following are true, you must specify `TLSv1` or later for the security policy:

  • You’re using a custom certificate: you specified a value for `ACMCertificateArn` or for `IAMCertificateId`

  • You’re using SNI: you specified `sni-only` for `SSLSupportMethod`

If you specify `true` for `CloudFrontDefaultCertificate`, CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you specify for `MinimumProtocolVersion`.

For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see [Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront][1] in the *Amazon CloudFront Developer Guide*.

[1]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers

Returns:

  • (String)



#ssl_support_method ⇒ String

If you specify a value for ViewerCertificate$ACMCertificateArn or for ViewerCertificate$IAMCertificateId, you must also specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients or one that works for most clients:

  • `vip`: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests from any viewer. However, you will incur additional monthly charges.

  • `sni-only`: CloudFront can respond to HTTPS requests from viewers that support Server Name Indication (SNI). All modern browsers support SNI, but some browsers still in use don’t support SNI. If some of your users’ browsers don’t support SNI, we recommend that you do one of the following:

    • Use the `vip` option (dedicated IP addresses) instead of `sni-only`.

    • Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the CloudFront domain name of your distribution in the URLs for your objects, for example, ``.

    • If you can control which browser your users use, upgrade the browser to one that supports SNI.

    • Use HTTP instead of HTTPS.

Don’t specify a value for `SSLSupportMethod` if you specified `<CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>`.

For more information, see [Using Alternate Domain Names and HTTPS][1] in the *Amazon CloudFront Developer Guide*.

[1]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS.html

Returns:

  • (String)
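
The constraints stated in the overview and under `#minimum_protocol_version` and `#ssl_support_method` can be checked on the hash before a distribution config is submitted. This is an added example, not code from aws-sdk-cloudfront: `check_viewer_certificate`, its finding strings and the sample values are hypothetical, and the protocol ordering is assumed to follow the order in which the page lists the accepted values.

```ruby
# Added example: lint a viewer_certificate hash against the rules on this page.
# check_viewer_certificate is a hypothetical helper, not part of aws-sdk-cloudfront.

# Accepted values as listed on the page; order assumed oldest to newest.
PROTOCOLS   = %w[SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018].freeze
SSL_METHODS = %w[sni-only vip].freeze
RECOMMENDED = "TLSv1.1_2016"

def check_viewer_certificate(vc)
  findings = []
  default  = vc[:cloud_front_default_certificate]
  custom   = %i[acm_certificate_arn iam_certificate_id].reject { |k| vc[k].to_s.empty? }
  method   = vc[:ssl_support_method]
  proto    = vc[:minimum_protocol_version]

  findings << "cloud_front_default_certificate: do not specify false" if default == false
  sources = custom.size + (default == true ? 1 : 0)
  findings << "certificate source: exactly one required, found #{sources}" unless sources == 1
  %i[certificate certificate_source].each do |k|
    findings << "#{k}: deprecated field" if vc.key?(k)
  end
  findings << "ssl_support_method: unknown value #{method}" if method && !SSL_METHODS.include?(method)
  rank = PROTOCOLS.index(proto)
  findings << "minimum_protocol_version: unknown value #{proto}" if proto && rank.nil?

  if default == true
    findings << "ssl_support_method: omit with the default certificate" if method
    if proto && proto != "TLSv1"
      findings << "minimum_protocol_version: ignored, CloudFront sets TLSv1"
    end
  elsif custom.any?
    findings << "ssl_support_method: required with a custom certificate" unless method
    if method == "sni-only" && proto == "SSLv3"
      findings << "minimum_protocol_version: sni-only needs TLSv1 or later"
    end
    if rank && rank < PROTOCOLS.index(RECOMMENDED)
      findings << "minimum_protocol_version: below recommended #{RECOMMENDED}"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: custom certificate served over SNI with a weak policy.
  sample = { iam_certificate_id: "EXAMPLE-ID", ssl_support_method: "sni-only",
             minimum_protocol_version: "SSLv3" }
  puts check_viewer_certificate(sample)
end
```

An empty result means the hash satisfies every rule stated on this page; it says nothing about whether the referenced certificate exists or matches the distribution's alternate domain names.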

